Linux Hardening Checklist 2025: Secure Your Server in 10 Steps
Securing a Linux server is essential in today’s threat landscape. Whether you are running a web server, database, or application host, following security best practices protects your data and infrastructure. This comprehensive Linux hardening checklist covers the essential steps to secure your server against common attacks and vulnerabilities.
📑 Table of Contents
1. Keep Your System Updated
Regular updates patch security vulnerabilities and fix bugs. Enable automatic security updates to ensure your system stays protected.
# Debian/Ubuntu
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
# RHEL/CentOS
sudo dnf update -y
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer2. Configure SSH Security
SSH is the primary remote access method and must be properly secured. Disable root login, use key-based authentication, and change the default port.
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port 2222
MaxAuthTries 3
AllowUsers yourusername
sudo systemctl restart sshd3. Configure Firewall Rules
Use ufw or firewalld to control network access. Only open ports that are absolutely necessary for your services.
# UFW example
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp # Custom SSH port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable4. Install Fail2Ban
Fail2Ban monitors log files and bans IP addresses that show malicious behavior like repeated failed login attempts.
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo systemctl enable --now fail2ban5. Disable Unnecessary Services
Review running services and disable those you do not need. Each running service is a potential attack vector.
systemctl list-units --type=service --state=running
sudo systemctl disable --now service-name6. Configure AppArmor or SELinux
Mandatory Access Control systems like AppArmor (Ubuntu/Debian) or SELinux (RHEL/CentOS) provide additional security layers by restricting what processes can do.
7. Set Up Log Monitoring
Monitor system logs for suspicious activity. Consider tools like Logwatch, OSSEC, or centralized logging with the ELK stack.
8. Implement Strong Password Policies
# /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -19. Regular Security Audits
Use tools like Lynis to perform regular security audits and identify areas for improvement.
sudo apt install lynis
sudo lynis audit system10. Implement Backup Strategy
Regular backups are your last line of defense. Follow the 3-2-1 rule: three copies, two different storage types, one offsite location.
Conclusion
Server security is an ongoing process, not a one-time task. Regularly review your security posture, stay informed about new vulnerabilities, and keep your systems updated to maintain a secure environment.
Was this article helpful?
About Ramesh Sundararamaiah
Red Hat Certified Architect
Expert in Linux system administration, DevOps automation, and cloud infrastructure. Specializing in Red Hat Enterprise Linux, CentOS, Ubuntu, Docker, Ansible, and enterprise IT solutions.